Claims 1 - 2 (canceled)

Claim 3 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is an executable method.

Claim 4 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a column of a database table.

Claim 5 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a row of a database table.

Claim 6 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a file and each of the at least one the permitted actions [[on]] identified for the at least one resource are file I/O operations that can be performed on the file.

Claim 7 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a function call to a function of an executable program.

Claim 8 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is an Enterprise JavaBean ("EJB") and each of the at least one the permitted actions [[on]] identified for the at least one resource are methods that can be performed on the EJB.
Claim 9 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a servlet and each of the at least one the permitted actions [[on]] identified for the at least one resource are methods that can be performed by [[of]] the servlet.

Claim 10 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a Uniform Resource Identifier ("URI") and each of the at least one the permitted actions [[on]] identified for the at least one resource are methods which reference the URI.

Claim 11 (currently amended): The method according to Claim [[1]] 12, wherein at least one of the resources is a JavaServer Page ("JSP") and each of the at least one the permitted actions [[on]] identified for the at least one resource are methods referenced from the JSP.

Claim 12 (currently amended): The method according to Claim [[1]] 19, wherein at least one of the resources is any resource that is expressible to the security system and each of the at least one the permitted actions [[on]] identified for the at least one resource are selected from a set of actions that are permitted on that resource.

Claims 13 - 18 (canceled) 

Claim 19 (new): A computer-implemented method for enforcing role-permission security administration using security objects stored in a security repository, comprising steps of:

storing, in a security repository, a plurality of security objects, wherein each of the security objects corresponds to a single role;

specifying, in each of the security objects, all permissions granted to the corresponding role, wherein each of the specified permissions identifies at least one resource and, for each resource, at least one action that can be performed on the resource by subjects granted the corresponding role, wherein selected ones of the resources are identified in the specified permissions of more than one of the security objects and wherein the specified permissions for at least one of the security objects identifies a plurality of resources and for each of the plurality of resources, at least one of the actions; and

using the stored security objects to determine whether run-time requests for performing actions on the resources can be granted.

Claim 20 (new): The method according to Claim 19, where the using step further comprises, for each of the run-time requests, the steps of:

determining, for the run-time request, a requester from which the request was received, and a particular action being requested on a particular resource;

determining one or more roles granted to the requester; and

until determining that the request can be granted or exhausting the determined roles, iteratively accessing the security object corresponding to each one of the determined roles and if the accessed security object identifies the requested action on the requested resource, then determining that the request can be granted.
Claim 21 (new): The method according to Claim 20, wherein the step of determining one or more roles further comprises the steps of:

using an identification of the requester as a user identification to consult a mapping that specifies, for each of a plurality of subjects, one or more roles associated therewith, wherein each of the subjects is specified as at least one of (1) an identification of one or more users and (2) an identification of one or more user groups, thereby determining each role associated with the identification of the requester;

determining one or more user groups of which the requester is a member; and

using each of the determined user groups as a user group identification to consult the mapping, thereby determining each role associated with the determined user groups.

Claim 22 (new): The method according to Claim 19, where the using step further comprises, for each of the run-time requests, the steps of:

determining, for the run-time request, a requester from which the request was received, and a particular action being requested on a particular resource; and

determining that the run-time request can be granted only if the requester has been granted at least one of the roles which is required, according to the stored security objects, to perform the requested action on the requested resource.
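As a worked illustration of the method of Claims 19 through 22, the Python below is example code written for this page; it is not the applicant's code and is not drawn from the application. It assumes string resource identifiers with type prefixes (db:, file:, servlet:, ejb:), a subject-to-role mapping keyed by user or group identifiers, and a separate group membership table; all sample data is constructed. It goes slightly beyond the claims in that it also refuses to store a second security object for a role that already has one, and treats a role with no stored security object as granting nothing.

```python
"""Role-permission check over per-role security objects (example code, not
the applicant's). Resource identifiers, the subject/group tables and the
prefix convention below are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Permission:
    """One permission: a resource and the actions a role may perform on it."""
    resource: str
    actions: FrozenSet[str]


@dataclass
class SecurityObject:
    """Security object for exactly one role, listing all of its permissions."""
    role: str
    permissions: List[Permission] = field(default_factory=list)

    def identifies(self, resource: str, action: str) -> bool:
        """True if this object lists `action` for `resource`."""
        return any(p.resource == resource and action in p.actions
                   for p in self.permissions)


class SecurityRepository:
    """Stores security objects keyed by role; exactly one object per role."""

    def __init__(self) -> None:
        self._objects: Dict[str, SecurityObject] = {}

    def store(self, obj: SecurityObject) -> None:
        if obj.role in self._objects:
            raise ValueError(f"role {obj.role!r} already has a security object")
        self._objects[obj.role] = obj

    def get(self, role: str) -> Optional[SecurityObject]:
        return self._objects.get(role)


# --- constructed sample data (hypothetical) -------------------------------
REPO = SecurityRepository()
REPO.store(SecurityObject("clerk", [
    Permission("db:accounts.balance", frozenset({"read"})),
    Permission("file:/srv/reports/daily.csv", frozenset({"read"})),
]))
REPO.store(SecurityObject("auditor", [
    # the same two resources appear in a second security object
    Permission("db:accounts.balance", frozenset({"read"})),
    Permission("file:/srv/reports/daily.csv", frozenset({"read", "write"})),
    Permission("servlet:ReportServlet", frozenset({"doGet"})),
]))
REPO.store(SecurityObject("admin", [
    Permission("ejb:AccountBean", frozenset({"close", "freeze"})),
]))

# Subject -> roles mapping; a subject is a user id or a group id.
ROLE_MAP: Dict[str, List[str]] = {
    "alice": ["clerk"],
    "bob": ["admin"],
    "grp:finance": ["auditor"],
    "grp:legacy": ["archivist"],   # role with no stored security object
}
# Group id -> member user ids.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "grp:finance": {"alice", "carol"},
    "grp:legacy": {"dave"},
}


def roles_for(requester: str) -> Set[str]:
    """Roles granted to `requester` directly, plus those granted to every
    group the requester belongs to (the two mapping lookups of Claim 21)."""
    roles = set(ROLE_MAP.get(requester, []))
    for group, members in GROUP_MEMBERS.items():
        if requester in members:
            roles.update(ROLE_MAP.get(group, []))
    return roles


def can_grant(requester: str, action: str, resource: str) -> bool:
    """Deny by default. Walk the requester's roles, stopping at the first
    security object that identifies `action` on `resource`; if the roles
    are exhausted without a match the request is refused (Claim 20)."""
    for role in sorted(roles_for(requester)):
        obj = REPO.get(role)
        if obj is not None and obj.identifies(resource, action):
            return True
    return False


if __name__ == "__main__":
    for req in (("alice", "write", "file:/srv/reports/daily.csv"),
                ("bob", "read", "db:accounts.balance"),
                ("mallory", "read", "db:accounts.balance")):
        print(req, "->", "GRANT" if can_grant(*req) else "DENY")
```

Note that alice obtains write access to the report file only through her membership in grp:finance, which carries the auditor role; bob, whose only role is admin, is refused a read on the balance column even though other roles permit it, and an unknown requester or a role with no security object never yields a grant.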

Claim 23 (new): A system for enforcing role-permission security administration using security objects stored in a security repository, comprising:

a security repository for storing a plurality of security objects, wherein each of the security objects corresponds to a single role;

means for specifying, in each of the security objects, all permissions granted to the corresponding role, wherein each of the specified permissions identifies at least one resource and, for each resource, at least one action that can be performed on the resource by subjects granted the corresponding role, wherein selected ones of the resources are identified in the specified permissions of more than one of the security objects and wherein the specified permissions for at least one of the security objects identifies a plurality of resources and for each of the plurality of resources, at least one of the actions; and

means for using the stored security objects to determine whether run-time requests for performing actions on the resources can be granted.

Serial No. 09/943,618 -5- RSW920010125US1



Claim 24 (new): The system according to Claim 23, where the means for using further comprises means for performing, for each of the run-time requests, steps of:

determining, for the run-time request, a requester from which the request was received, and a particular action being requested on a particular resource;

determining one or more roles granted to the requester; and

until determining that the request can be granted or exhausting the determined roles, iteratively accessing the security object corresponding to each one of the determined roles and if the accessed security object identifies the requested action on the requested resource, then determining that the request can be granted.

Claim 25 (new): A computer program product for enforcing role-permission security administration using security objects stored in a security repository, the computer program product comprising computer-readable code embodied on one or more computer-usable media, the computer-readable code comprising instructions that when executed on a computer cause the computer to:

store, in a security repository, a plurality of security objects, wherein each of the security objects corresponds to a single role;

specify, in each of the security objects, all permissions granted to the corresponding role, wherein each of the specified permissions identifies at least one resource and, for each resource, at least one action that can be performed on the resource by subjects granted the corresponding role, wherein selected ones of the resources are identified in the specified permissions of more than one of the security objects and wherein the specified permissions for at least one of the security objects identifies a plurality of resources and for each of the plurality of resources, at least one of the actions; and

use the stored security objects to determine whether run-time requests for performing actions on the resources can be granted.

Claim 26 (new): The computer program product according to Claim 25, where the instructions that cause the computer to use the stored security objects further comprise instructions that cause the computer, for each of the run-time requests, to:

determine, for the run-time request, a requester from which the request was received, and a particular action being requested on a particular resource; and

determine that the run-time request can be granted only if the requester has been granted